tenable / terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

Home Page:https://runterrascan.io


Rule ID AC_K8S_0080 broken

lisenet opened this issue · comments

  • terrascan version: 1.18.3
  • Operating System: Ubuntu 20.04 LTS

Description

Terrascan does not detect seccompProfile. This is a bug in a policy definition.

What I Did

Create a Kubernetes deployment configuration file with seccompProfile defined:

mkdir ./test

cat <<EOF > ./test/httpd-healthcheck.yml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpd-healthcheck
  namespace: httpd-healthcheck
  labels:
    app: httpd-healthcheck
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpd-healthcheck
  template:
    metadata:
      name: httpd-healthcheck
      labels:
        app: httpd-healthcheck
    spec:
      securityContext:
        seccompProfile:
          type: "RuntimeDefault"
      containers:
        - name: httpd-healthcheck
          image: example/httpd-healthcheck:1.0.0
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
              type: "RuntimeDefault"
EOF

Run the terrascan command against it:

cd ./temp/
terrascan scan -v -i k8s --scan-rules="AC_K8S_0080" ./test/

This is the output:

	Description    :	Default seccomp profile not enabled will make the container to make non-essential system calls
	File           :	healthcheck-deployment.yml
	Line           :	2
	Severity       :	MEDIUM
	Rule Name      :	secCompProfile
	Rule ID        :	AC_K8S_0080
	Resource Name  :	httpd-healthcheck
	Resource Type  :	kubernetes_deployment
	Category       :	Identity and Access Management

The policy is configured to look for secCompProfile when it should be seccompProfile.

See here.
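To illustrate the mechanism behind this report, here is an added example (not terrascan's own Rego policy) that mirrors what AC_K8S_0080 is meant to check and shows why a mis-cased lookup key never matches: the Deployment from the report is embedded as a constructed Python dict, and the `key` parameter is an assumption used to compare the correct field name with the mistyped one.

```python
from typing import Any, Dict, List

# Constructed manifest: the Deployment from the report as a YAML parser would
# load it (only the fields the check needs are kept).
DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "httpd-healthcheck"},
    "spec": {
        "template": {
            "spec": {
                "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                "containers": [
                    {
                        "name": "httpd-healthcheck",
                        "image": "example/httpd-healthcheck:1.0.0",
                        "securityContext": {
                            "allowPrivilegeEscalation": False,
                            "seccompProfile": {"type": "RuntimeDefault"},
                        },
                    }
                ],
            }
        }
    },
}

# seccomp profile types that confine the container; "Unconfined" does not.
SAFE_TYPES = {"RuntimeDefault", "Localhost"}


def seccomp_findings(manifest: Dict[str, Any], key: str = "seccompProfile") -> List[str]:
    """Return the names of containers that end up without a confining seccomp
    profile. `key` is the field name the policy looks up (assumption for this
    example); Kubernetes object keys are case-sensitive, so a mis-cased key
    such as "secCompProfile" never matches and every container is flagged."""
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    pod_ctx = pod_spec.get("securityContext") or {}
    pod_ok = (pod_ctx.get(key) or {}).get("type") in SAFE_TYPES
    findings: List[str] = []
    for container in pod_spec.get("containers", []):
        ctx = container.get("securityContext") or {}
        profile = ctx.get(key)
        # A container with no profile of its own inherits the pod-level one.
        if profile is None and pod_ok:
            continue
        if (profile or {}).get("type") not in SAFE_TYPES:
            findings.append(container.get("name", "<unnamed>"))
    return findings
```

With the correct key the manifest passes; with the mistyped key the same manifest is reported, which is the false positive shown in the scan output above.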